Explorer 7: new browser, old security hole

Less than 12 hours after the launch of Internet Explorer 7, security researchers have already warned of a security hole in the new browser.

By
Peter Sayer, IDG News Service
| Oct 19, 2006

| IDG News Service

Share

TwitterFacebookLinkedInGoogle Plus

Less than 12 hours after the launch of Internet Explorer 7, security researchers have already warned of a security hole in the new browser.

Secunia has issued a warning that the latest version of Microsoft's ubiquitous software is still vulnerable to an earlier flaw it reported in Explorer 6 back in April. The vulnerability affects the final version of Explorer 7 running on Windows XP with Service Pack 2, the security company confirmed.

If a user visits a malicious website, the site could exploit the security flaw to read information from a separate, secure site to which the surfer is logged in. That could enable an attacker to read banking details, or messages from a Web-mail account, said Thomas Kristensen, Secunia's chief technology officer. "A phishing attack would be a good place to exploit this," he said.

One of the security features Microsoft touts for the new browser is the protection it offers users from phishing attacks.

Secunia rates the security flaw as "less critical", its second-lowest rating, and suggests disabling active scripting support to protect the computer. The flaw could result in the exposure of sensitive information and can be exploited by a remote system, Secunia said.

It is hard to exploit the flaw because it requires the attacker to lure someone to a malicious site, and for the attacker to know what other secure site the visitor might simultaneously have open, Kristensen said. "A quick user browsing through our website using Explorer 7 found it failed one of our tests," he said.

The company then verified the information, notified Microsoft and published a proof-of-concept exploit on its website.